You should avoid case 2 by distributing a physical qvw to users if you need this kind of security because AFAIK each way to ensure an application like macros or section access could be bypassed by experienced users (with some time).
What Anand mentioned is exactly what you are looking for. The hidden script protected by a password does not affect in your users opening the document without being prompted for any credentials, it only prompts for password when the QVW is open locally using QlikView Desktop and Show Hidden Script is selected from the File menu in the script dialog.
You could use section access and adding all users unless yourself and some admin-users like your server-account user as USER in ACCESS. Then you could adjust various options within the document properties tab security and also setting adjusting some of the sheet- and object-properties (no moving, read only, ...) - but like already mentioned you shouldn't make the qvw itself available else just using only the access point.